...

Source file src/k8s.io/kubernetes/pkg/securitycontext/util_test.go

Documentation: k8s.io/kubernetes/pkg/securitycontext 

     1  /*
     2  Copyright 2014 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package securitycontext
    18  
    19  import (
    20  	"reflect"
    21  	"testing"
    22  
    23  	v1 "k8s.io/api/core/v1"
    24  	utilptr "k8s.io/utils/pointer"
    25  )
    26  
    27  func TestAddNoNewPrivileges(t *testing.T) {
    28  	pfalse := false
    29  	ptrue := true
    30  
    31  	tests := map[string]struct {
    32  		sc     *v1.SecurityContext
    33  		expect bool
    34  	}{
    35  		"allowPrivilegeEscalation nil security context nil": {
    36  			sc:     nil,
    37  			expect: false,
    38  		},
    39  		"allowPrivilegeEscalation nil": {
    40  			sc: &v1.SecurityContext{
    41  				AllowPrivilegeEscalation: nil,
    42  			},
    43  			expect: false,
    44  		},
    45  		"allowPrivilegeEscalation false": {
    46  			sc: &v1.SecurityContext{
    47  				AllowPrivilegeEscalation: &pfalse,
    48  			},
    49  			expect: true,
    50  		},
    51  		"allowPrivilegeEscalation true": {
    52  			sc: &v1.SecurityContext{
    53  				AllowPrivilegeEscalation: &ptrue,
    54  			},
    55  			expect: false,
    56  		},
    57  	}
    58  
    59  	for k, v := range tests {
    60  		actual := AddNoNewPrivileges(v.sc)
    61  		if actual != v.expect {
    62  			t.Errorf("%s failed, expected %t but received %t", k, v.expect, actual)
    63  		}
    64  	}
    65  }
    66  
    67  func TestConvertToRuntimeMaskedPaths(t *testing.T) {
    68  	dPM := v1.DefaultProcMount
    69  	uPM := v1.UnmaskedProcMount
    70  	tests := map[string]struct {
    71  		pm     *v1.ProcMountType
    72  		expect []string
    73  	}{
    74  		"procMount nil": {
    75  			pm:     nil,
    76  			expect: defaultMaskedPaths,
    77  		},
    78  		"procMount default": {
    79  			pm:     &dPM,
    80  			expect: defaultMaskedPaths,
    81  		},
    82  		"procMount unmasked": {
    83  			pm:     &uPM,
    84  			expect: []string{},
    85  		},
    86  	}
    87  
    88  	for k, v := range tests {
    89  		actual := ConvertToRuntimeMaskedPaths(v.pm)
    90  		if !reflect.DeepEqual(actual, v.expect) {
    91  			t.Errorf("%s failed, expected %#v but received %#v", k, v.expect, actual)
    92  		}
    93  	}
    94  }
    95  
    96  func TestConvertToRuntimeReadonlyPaths(t *testing.T) {
    97  	dPM := v1.DefaultProcMount
    98  	uPM := v1.UnmaskedProcMount
    99  	tests := map[string]struct {
   100  		pm     *v1.ProcMountType
   101  		expect []string
   102  	}{
   103  		"procMount nil": {
   104  			pm:     nil,
   105  			expect: defaultReadonlyPaths,
   106  		},
   107  		"procMount default": {
   108  			pm:     &dPM,
   109  			expect: defaultReadonlyPaths,
   110  		},
   111  		"procMount unmasked": {
   112  			pm:     &uPM,
   113  			expect: []string{},
   114  		},
   115  	}
   116  
   117  	for k, v := range tests {
   118  		actual := ConvertToRuntimeReadonlyPaths(v.pm)
   119  		if !reflect.DeepEqual(actual, v.expect) {
   120  			t.Errorf("%s failed, expected %#v but received %#v", k, v.expect, actual)
   121  		}
   122  	}
   123  }
   124  
   125  func TestDetermineEffectiveRunAsUser(t *testing.T) {
   126  	tests := []struct {
   127  		desc          string
   128  		pod           *v1.Pod
   129  		container     *v1.Container
   130  		wantRunAsUser *int64
   131  	}{
   132  		{
   133  			desc: "no securityContext in pod, no securityContext in container",
   134  			pod: &v1.Pod{
   135  				Spec: v1.PodSpec{},
   136  			},
   137  			container:     &v1.Container{},
   138  			wantRunAsUser: nil,
   139  		},
   140  		{
   141  			desc: "no runAsUser in pod, no runAsUser in container",
   142  			pod: &v1.Pod{
   143  				Spec: v1.PodSpec{
   144  					SecurityContext: &v1.PodSecurityContext{},
   145  				},
   146  			},
   147  			container: &v1.Container{
   148  				SecurityContext: &v1.SecurityContext{},
   149  			},
   150  			wantRunAsUser: nil,
   151  		},
   152  		{
   153  			desc: "runAsUser in pod, no runAsUser in container",
   154  			pod: &v1.Pod{
   155  				Spec: v1.PodSpec{
   156  					SecurityContext: &v1.PodSecurityContext{
   157  						RunAsUser: new(int64),
   158  					},
   159  				},
   160  			},
   161  			container: &v1.Container{
   162  				SecurityContext: &v1.SecurityContext{},
   163  			},
   164  			wantRunAsUser: new(int64),
   165  		},
   166  		{
   167  			desc: "no runAsUser in pod, runAsUser in container",
   168  			pod: &v1.Pod{
   169  				Spec: v1.PodSpec{
   170  					SecurityContext: &v1.PodSecurityContext{},
   171  				},
   172  			},
   173  			container: &v1.Container{
   174  				SecurityContext: &v1.SecurityContext{
   175  					RunAsUser: new(int64),
   176  				},
   177  			},
   178  			wantRunAsUser: new(int64),
   179  		},
   180  		{
   181  			desc: "no runAsUser in pod, runAsUser in container",
   182  			pod: &v1.Pod{
   183  				Spec: v1.PodSpec{
   184  					SecurityContext: &v1.PodSecurityContext{
   185  						RunAsUser: new(int64),
   186  					},
   187  				},
   188  			},
   189  			container: &v1.Container{
   190  				SecurityContext: &v1.SecurityContext{
   191  					RunAsUser: utilptr.Int64Ptr(1),
   192  				},
   193  			},
   194  			wantRunAsUser: utilptr.Int64Ptr(1),
   195  		},
   196  	}
   197  
   198  	for _, test := range tests {
   199  		t.Run(test.desc, func(t *testing.T) {
   200  			runAsUser, ok := DetermineEffectiveRunAsUser(test.pod, test.container)
   201  			if !ok && test.wantRunAsUser != nil {
   202  				t.Errorf("DetermineEffectiveRunAsUser(%v, %v) = %v, want %d", test.pod, test.container, runAsUser, *test.wantRunAsUser)
   203  			}
   204  			if ok && test.wantRunAsUser == nil {
   205  				t.Errorf("DetermineEffectiveRunAsUser(%v, %v) = %d, want %v", test.pod, test.container, *runAsUser, test.wantRunAsUser)
   206  			}
   207  			if ok && test.wantRunAsUser != nil && *runAsUser != *test.wantRunAsUser {
   208  				t.Errorf("DetermineEffectiveRunAsUser(%v, %v) = %d, want %d", test.pod, test.container, *runAsUser, *test.wantRunAsUser)
   209  			}
   210  		})
   211  	}
   212  }
   213  

View as plain text